Run Trivy scan on build (#170)

davidcollom · web-flow · commit 3a8b888d8bad · 2024-04-09T11:29:16.000+01:00
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -83,7 +83,18 @@ jobs:
       with:
         context: .
         platforms: ${{ matrix.platform }}
+        load: true
         push: false
         tags: quay.io/jetstack/version-checker:${{github.sha}}
         cache-from: type=gha
         cache-to: type=gha,mode=max
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.19.0
+      with:
+        image-ref: 'quay.io/jetstack/version-checker:${{github.sha}}'
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
